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Intellectual Property Rights 
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server) which are, or may be, or may become, essential to the present document. 



Foreword 

This Technical Specification (TS) has been produced by ETSI Technical Committee Lawful Interception (LI). 
The present document is part 4 of a multi-part deliverable. Full details of the entire series can be found in part 1 [2]. 



Introduction 



The present document focuses on layer 2 interception of IP-encoded information. It is to be used in conjunction with 
TS 102 232-1 [2], in which the handling of the intercepted information is described. 
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Scope 



The present document specifies Lawful Interception for an Access Provider that has access to layer 2 session 
information and that is not required to have layer 3 information. In this case, the focus of Lawful Interception (LI) for IP 
Network Access is on the portion of the network, commonly referred to as "layer 2 interception", that facilitates 
subscriber access to the Public IP network. 

The present document describes the LI at the interception domain of the access network. 

The specification contains: 

• a stage 1 description of the Lawful Interception service; 

• a stage 2 description of the information flows between the functional entities (including the information 
elements involved) and triggering events; and 

• a stage 3 description of the protocol and procedures to be used in mapping from stage 2 information flows and 
elements to Intercept Related Information (IRI) and Content of Communication (CC). 

The present document is consistent with the definition of the Handover Interface, as described in TS 102 232-1 [2]. 

NOTE 1: Layer 3 interception is described in TS 102 232-3 [12]. 

NOTE 2: Layer 2 interception is not applicable to the PS domain of the GSM/UMTS networks (TS 123 060 [15]). 
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http://docbox.etsi.org/Reference . 

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee 
their long term validity. 
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Definitions and abbreviations 



3.1 Definitions 

For the purposes of the present document, the terms and definitions given in TS 102 232-1 [2], TS 102 232-3 [12] and 
the following apply: 

access provider: Communication Service Provider (CSP), providing access to networks 

NOTE 1 : APs generally provide dial-up access through a modem and PPP connection, though companies that offer 
Internet access with other devices, such as cable modems or wireless connections, could also be 
considered APs. 

NOTE 2: In the context of the present document, the network access is defined as IP-based network access to the 
Internet. 

access service: set of access methods provided to a user to access a service and/or a supplementary service 

NOTE: In the context of the present document, the service to be accessed is defined as the Internet. 

application service provider: third-party entity that manages and distributes software-based services and solutions to 
customers across a wide area network from a central data centre 

NOTE: In the context of the present document, a company that offers services that are accessible to users who 
have connectivity via the Internet. 

interconnect network: network connecting the AP and the IAP, across which the layer 2 tunnel is established 

internet access provider: company that provides access to the Internet 

NOTE: The IAP provides subscribers a username, password and an IP address that enables subscribers to log onto 
the Internet for virtual connectivity to Application Service Providers. 

layer 2: link layer, as defined in RFC 1 122 [3] 

layer 2 interception: lawful interception using technology that can access layer 2 information 
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physical line termination point: point in the access provider's infrastructure where the physical line to the customer is 
terminated 

EXAMPLE: xDSL-line termination point, Cable-line termination point, Ethernet-line termination point. 

tunnel router: router that is an endpoint of a layer 2 tunnel; there are at least two tunnel routers for each layer 2 tunnel 



3.2 



Abbreviations 



For the purposes of the present document, the following abbreviations apply: 

AAA Authentication, Authorization and Accounting 

AP Access Provider 

ASN.l Abstract Syntax Notation 1 

ASP Application Service Provider 

ATM Asynchronous Transfer Mode 

CC Content of Communication 

CIN Communication Identity Number 

CMTS Cable Modem Termination System 

CPE Customer Premises Equipment 

CSP Communications Service Provider 

DF Delivery Function 

DHCP Dynamic Host Configuration Protocol 

DSL Digital Subscriber Line 

DSLAM Digital Subscriber Line Access Multiplexer 

HI1 Handover Interface 1 (for Administrative Information) 

HI2 Handover Interface 2 (for Intercept Related Information) 

HI3 Handover Interface 3 (for Content of Communication) 

IAP Internet Access Provider 

IAS Internet Access Service 

INI Internal Network Interface 

IP Internet Protocol 

IRI Intercept Related Information 

ISDN Integrated Services Digital Network 

L2F Layer 2 Forwarding 

L2TP Layer 2 Tunneling Protocol 

LAES Lawful Authorized Electronic Surveillance 

LCP Link Control Protocol 

LEA Law Enforcement Agency 

LEMF Law Enforcement Monitoring Facility 

LI Lawful Interception 

LIID Lawful Interception Identifier 

MAC Media Access Control 

MD Mediation Device 

NAS Network Access Server 

PLTP Physical Line Termination Point 

PPP Point-to-Point Protocol 

PPTP Point-to-Point Tunneling Protocol 

PSTN Public Switched Telephone Network 

RADIUS Remote Authentication Dial In User Service 

SP Service Provider 

VoIP Voice over Internet Protocol 

WLAN Wireless Local Area Network 
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General 



4.1 



Access network 



An access network provides layer 2 connectivity from the Physical Line Termination Point (PLTP) for end-users to an 
Application Service Provider (ASP) through an Internet Access Provider (IAP). The access provided may be via a 
telephone, cable, or wireless-network. The present document describes the LI at the access network. 

The figures contained in the following clauses do not necessarily refer to physical configurations but identify the 
business roles associated with various scenarios to provide services. A provider can have one or more of following 
roles: Access Provider (AP), Internet Access Provider (IAP) and Application Provider. 

Lawful interception of communications must accommodate a multitude of scenarios for public telecommunications. 
Four representative scenarios are described below. 

4.1.1 Scenario 1 

This scenario reflects the situation in which the three identified provider roles are provisioned by independent providers. 

For example, an ASP provides Call Control for VoIP service, and is using the transport facilities of an IAP for 
connectivity to the AP. 

In this scenario, the specifications of the present document are relevant to the AP, while the IAP and ASP may be 
involved with interception according to the specifications of TS 102 232-2 [13] and TS 102 232-3 [12]. 




Figure 1 : Scenario in which access, transport and application services 
are offered by three different providers 
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4.1.2 Scenario 2 



This scenario reflects the situation in which a network operator is acting only as an AP, and not as an IAP or ASP. 

In this scenario, the specifications of the present document are relevant to the AP, while the IAP / ASP may be involved 
with interception according to the specifications of TS 102 232-2 [13] and TS 102 232-3 [12]. 




Figure 2: Scenario in which access is offered by a provider separate from the one 
that is offering Internet transport and application service 

4.1.3 Scenario 3 

This scenario reflects the situation in which the AP and IAP roles are offered by a single provider. 

In this scenario the Service Provider (SP), having roles as an AP and an IAP, may be involved with interception 
according to TS 102 232-3 [12] and layer 2 interception is not preferred. 





Figure 3: Scenario in which access and Internet transport are offered by a 
single provider that does not offer application service 
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4.1.4 Scenario 4 

This scenario reflects the situation in which the AP, IAP and ASP roles are offered by a single provider. 

In this scenario the service provider, having roles as an AP, an IAP and an ASP, may be involved with interception 
according to TS 102 232-2 [13] and TS 102 232-3 [12], and layer 2 interception is not preferred. 





Figure 4: Scenario in which access, transport and application services 
are offered by the same provider 

4.2 Lawful Interception (LI) requirements 

This clause lists the requirements for Lawful Interception. (LI). These requirements are derived from higher-level 
requirements listed in TS 101 331 [14] and TS 102 232-1 [2] and are specific to Internet Access Services (IAS). These 
requirements focus on both the administrative part of Internet Access for delivery over HI2 as well as capturing traffic 
for delivery over HI3. 

4.2.1 Target identity 

Where the special properties of a given service, and the justified requirements of the LEAs, necessitate the use of 
various identifying characteristics for determination of the traffic to be intercepted, the provider (CSP) shall ensure that 
the traffic can be intercepted on the basis of these characteristics. The target identity known by the layer 2 mechanisms 
is not an application or network identity; therefore, layer 2 interception must be registered against a known layer 2 
identity. The access network shall identify targeted activity by other means, e.g. the termination point of the xDSL-line 
or the Cable-line. 

In each case the characteristics shall be identifiable without unreasonable effort and shall be such that they allow clear 
determination of the traffic to be intercepted. 

The target identity should uniquely identify the target in the provider's network. The target identity will be dependent on 
the access mechanism used and the parameters available with the AP. The target identity could be based on: 

a) MAC address or vMAC. For example, the MAC address of the cable modem which is identified by the CMTS 
can be requested to identify the target identity. 

b) xDSL-line termination point, including, e.g. the IP- address of the Network Access Server (NAS), and the 
NAS port; the NAS port is identified by the ATM virtual path, virtual channel and port number (slot, sub-slot 
and port). 

c) Cable-line termination point (including e.g. IP address, interface information of the CMTS). 

d) DHCP option 82, line Id and remote Id, as defined in RFC 3046 [5]. 

e) Calling party number (E.164 [7], Network-provided or User-provided, verified and passed). 
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f) Other unique identifier agreed between AP and LEA. 

4.2.2 Result of interception 

The network operator shall provide Intercept Related Information (IRI), in relation to each target service: 

a) when an attempt is made by the target to utilize the network; 

b) when an attempt is made to reach the target from the network; 

c) when an access to the network is permitted; 

d) when an access to the network is not permitted; 

e) when an access to the network is terminated. 
The IRI shall contain: 

a) identities used by or associated with the target identity; 

b) details of services used and their associated parameters; 

c) information relating to status; 

d) timestamps. 

Content of Communication (CC) shall be provided for every layer 2 datagram sent through the access network that is 
addressed to, or sent from, the line termination point of the target. 

The CC shall be a bit-exact copy of every intercepted layer 2 datagram. 

4.2.3 Intercept related information messages 

IRI shall be conveyed to the LEMF in IRI data records. Four types of IRI data records are defined: 

1) IRI-BEGIN record at the first event of a communication attempt, opening the IRI transaction; 

2) IRI-END record at the end of a communication attempt, closing the IRI transaction; 

3) IRI-CONTINUE record at any time during a communication attempt within the IRI transaction; 

4) IRI-REPORT record used in general for non-communication related events. 

For a description of the use and purpose of the various IRI data records refer to TS 102 232-1 [2]. Which IRI events are 
available for the different IRI data record types is described in clause 6.1. 

4.2.4 Time constraints 

Intercept Related Information shall be transmitted without undue delay. This delay should only be caused by the access 
protocol handling and the automated forwarding of this information to the delivery function. 

5 System model 

5.1 Reference configuration 

Figure 5 contains the reference configuration for the lawful interception. 
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Figure 5: Reference configuration for lawful interception 

The reference configuration is only a logical representation of the entities involved in lawful interception and does not 
mandate separate physical entities. This allows for higher levels of integration. 

The messages sent in an implementation-specific manner between the Administrative Function and the other Access 
Provider domain entities may contain: 

target identities; 

correlation information; 

information whether the CC shall be provided; 

the address of Mediation Function 2 for IRI; 

the address of Mediation Function 3 for the intercepted CC; 

the address for delivery of IRI (= LEMF address); 

the address of delivery for CC (= LEMF address); 

Lawful Interception Identifier (LIID). 

The messages sent in an implementation-specific manner between the Interception Function and Mediation Function 2 
contains the IRI. 

The messages sent in an implementation-specific manner between the Interception Function and Mediation Function 3 
contains the CC. 



5.2 



Reference states 



5.2.1 Logon 

If the xDSL-line or cable line is not owned by the party that provides the authentication server, then user identification 
takes place in the network of the AP and the user identity and access request are forwarded to the authentication server 
of the IAP. To exchange data between the user and IAP, a layer 2 tunnel is established, e.g. a L2TP tunnel per 
RFC 2661 [10]. All data between the IAP and the user is transported via this tunnel. If access is granted, an IP address 
is provided by the IAP and communicated to the user via the layer 2 tunnel and then the user can communicate with the 
Internet via the layer 2 tunnel. 
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If a layer 2 tunnel to an IAP is established, other users may be using the same tunnel, as only one tunnel is established 
typically to each IAP. 

5.2.2 Data transport 

While having an active, virtual IP connection, the CPE can transmit IP datagrams towards any IP-enabled destination 
connected to the Internet. These datagrams may contain other, higher-level IP- based protocols. Similarly, the CPE can 
receive IP datagrams directed towards it from any IP-enabled source connected to the Internet. 

It is possible that the CPE is connected to an Access Network that does not provide the Internet Access, e.g. if the AP 
and the IAP are different parties as demonstrated in clauses 4.1.1 and 4.1.2. The AP provides the xDSL-line and routes 
all datagrams that are destined to the IAP through a layer 2 tunnel via a gateway to the network of the IAP. Thus, all 
datagrams from the user CPE are encapsulated in a specific layer 2 protocol (e.g. L2TP RFC 2661 [10]) and transmitted 
by the AP to the IAP. 



Tunnel router 
AP-site 




Tunnel router 
lAP-site 



Layer 2 tunnel 




Figure 6: Layer 2 tunnel shared by multiple users 

Figure 6 shows the usage of a layer 2 tunnel. It is possible that only the traffic associated with one PLTP connected to 
the CPE of one target is intercepted, as represented by the white IP-stream in figure 6. The other connections through 
the tunnel are not intercepted. If the target session is terminated and the other connections are not terminated, the layer 2 
tunnel stays online. 

It is also possible that the communication of more than one target may be intercepted via the same layer 2 tunnel. 
Furthermore, it is possible that a single IP-stream may be the subject of multiple, simultaneous lawful interceptions; 
therefore, that single, intercepted IP-stream may be delivered to multiple LEMFs, or multiple copies of the stream may 
have to be delivered to the same LEMF (once for each interception authorization). 

5.2.3 Logoff 

When a user logs off, the client running on the CPE will negotiate the closure of the session with the NAS of the AP. 
For example, a PPP session may be closed through an exchange of LCP Terminate packets (see RFC 1570 [4] for LCP 
and RFC 1661 [1 1] for PPP). Next, the NAS informs the authentication server in the IAP of the session closure and may 
provide statistics on the session as well. 

5.2.4 Unexpected connection loss 

During an active data session, the virtual connection may terminate unexpectedly for reasons such as loss of carrier, link 
quality failure, or the expiration of an idle-period timer. In such cases there can be no user-provided logoff indication, 
and it is up to the NAS to detect the connection loss and to propagate the session closure towards the accounting server 
of the IAP. 
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Intercept Related Information 



6.1 IRI events 

The following IRI-E vents are applicable, if the traffic to and from the target is through the network of the AP. 
Figure 7 shows the life cycle of a generic internet access session. 
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NOTE: Depending on the signalling implementation, there may be duplicate events due to resends. Resends of 
events are be ignored as far as state-changes are concerned; this is not depicted in the diagram. 

Figure 7: State diagram for an Internet session 

Subject to agreement on a national level, it is acceptable to perform the CIN allocation on the Access- Accept rather than 
the Access-Attempt. If this option is chosen, the CSPs shall allocate a new CIN only on the IRI-BEGIN messages; and, 
send Access- Attempt, Access-Reject and Access-Failed as standalone messages not associated with any other CC or 
IRI. 

Figure 7 allows for a model where detailed information is available regarding the identification and authentication 
process as well as for a simple model where just a session start notification is available. 
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Table 1 : IRI events (Layer 2) 



IRI Event 


Description 


IRI Record 


Access attempt 


A target requests access to the Internet Access Service (IAS). 


REPORT 


Access_accept 


The network elements are triggered to erect a layer 2 tunnel 
between the user and the foreign IAP network. 


BEGIN 


Access reject 


The access is refused. 


REPORT 


Access failed 


The Access_attempt timed-out or failed otherwise. 


REPORT 


Interim Update 


Intermediate status report on service status or usage. 


CONTINUE 


Access_end 


The communication between the user and the IAP network 
terminated. This may be for numerous reasons that are not visible to 
the AP (e.g. the user logs off or shortage of network capacity 
between the AP and the IAP) (see note). 


END 


Start of 
Interception 
Session Active 


As sessions can be active over longer periods, it is not unlikely for 
an intercept to start after a user session has started already. 
Available information about the status of this session is sent to the 
LEA. 


BEGIN 


NOTE: If there are other connections still using the same tunnel, the tunnel remains available. 



In case of LI is being activated during an already active internet session, which the provider is aware of, this is 
recommended to be treated by generating an BEGIN IRI Message to mark this start of interception. The specific event 
type of startOflnterceptionWithSessionActive is used for this case. If LI is being deactivated during an established 
internet session, no END IRI Message will be transmitted. The end of interception can be communicated to the LEA by 
other means (e.g. HI 1). 



6.2 



HI2 attributes 



The attributes of IRI information for layer 2 interception is dependent upon the type of access technology utilized. 
Annex A defines for each technology that is relevant to the present document in which of the IRI messages a parameter 
value must be provided. 



Content of Communication (CC) 



CC is provided for every layer 2 datagram sent through the AP's network that is addressed to, or sent from, the line 
termination point of the target. 

The CC payload contains a copy of the intercepted layer 2 datagram. 

NOTE: The ASN. 1 definition for CC is presented as the L2CC PDU in clause 8 ASN. 1 for IRI and CC. 
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8 ASN.1 forlRlandCC 

8.1 ASN.1 specification 

The ASN.1 (ITU-T Recommendation X.680 [6]) module that represents the information in the present document and 
meets all stated requirements is shown below. TR 102 503 (see bibliography) gives an overview over the relevant 
Object Identifiers (OID) used in ASN.1 modules of the Lawful Intercept specifications and point to the specification 
where the modules can be found. 

L2AccessPDU 

{itu-t(O) identif ied-organization (4) etsi(O) securityDomain (2) lawfullntercept (2 ) 
li-ps(5) 12Access(4) version4(4)} 

DEFINITIONS IMPLICIT TAGS ::= 
BEGIN 



Object Identifier Definition 



12lRIObjId RELATIVE-OID ::= {li-ps(5) 12Access(4) 


version4 (4) iRI (1) } 


12CCObjId RELATIVE-OID ::= {li-ps(5) 12Access(4) 


version4 (4) cC (2) } 


12lRIOnlyObjId RELATIVE-OID ::= {li-ps(5) 12Access(4) 


version4(4) iRIOnly(3)} 


— all three definitions relative to {itu-t (0) identified- 


organization (4) 


— etsi(0) securityDomain (2) lawfulintercept (2 ) } 





L2 Communications Contents 



L2CC 


: := SEQUENCE 








i 

12CCObjId 


[0] RELATIVE-OID, 








12CCContents 


[1] CHOICE 








{ 


12TP 


[1] OCTET STRING, 










— The 


L2TP protocol is used 










12F 


[2] OCTET STRING, 










— The 


L2F protocol is used 










pPTP 


[3] OCTET STRING, 










— The 


PPTP protocol is used 










pPP 


[4] OCTET STRING, 










— The 


PPP protocol is used 










ethernet 


[5] OCTET STRING, 










— The 


ethernet protocol is used 










12ATM2684 


[6] OCTET STRING 








} 
} 


— The 


protocol RFC 2684, method 


"LLC Encapsulation for Bridged Protocols' 


[16] 


is used 



Intercept-related information for general L2-Access 



L2IRI : := SEQUENCE 

{ 

12lRIObjId [0] RELATIVE-OID, 

12lRIContents [1] L2IRIContents, 

} 
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L2lRIContents ::= SEQUENCE 

{ 

accessEventType [0] AccessEventType, 

internet AccessType [2] InternetAccessType OPTIONAL, 

targetNetworkID [5] UTF8String (SIZE (1..20)) OPTIONAL, 

— Target network ID (e.g. MAC address, PSTN number) 
targetCPEID [6] UTF8String (SIZE (1..128)) OPTIONAL, 

— CPEID (e.g. Relay Agent info, computer name) 
targetLocation [7] UTF8String (SIZE (1 .. 64) ) OPTIONAL, 

— <for further study> 

nASPortNumber [8] INTEGER (0 .. 4294967295) OPTIONAL, 

— The NAS port number used by the target 
callBackNumber [9] UTF8String (SIZE (1..20)) OPTIONAL, 

— The number used to call-back the target 
startTime [10] GeneralizedTime OPTIONAL, 

— The start date-time of the session or lease 
endTime [11] GeneralizedTime OPTIONAL, 

— The end date-time of the session or lease 
endReason [12] EndReason OPTIONAL, 

— The reason for the session to end 

octet sReceived [13] INTEGER (0 .. 18446744073709551615) OPTIONAL, 

— The number of octets the target received 

octetsTransmitted [14] INTEGER (0 .. 18446744073709551615) OPTIONAL, 

— The number of octets the target transmitted 
rawAAAData [15] OCTET STRING OPTIONAL 

— Content of the raw AAA record 



AccessEventType : := ENUMERATED 

{ 

access At tempt (0) , 

— A target requests access to the IAS 
accessAccept (1) , 

— IAS access is granted to the target, the session begins 
accessReject (2) , 

— IAS access is refused to the target 
accessFailed(3) , 

— The Access_attempt timed-out or failed otherwise 
sessionStart (4) , 

— A target starts using the IAS; not in use anymore from version 4(4) , 
sessionEnd(5) , 

— A target stops using the IAS; not in use anymore from version 4(4) . 
interimUpdate ( 6 ) , 

— Intermediate status report on service status or usage 
unknown ( 7 ) , 

startOf InterceptionWithSessionActive (8) , 

— LI is started on a target who already has an active session 
accessEnd(9) 

— A target stops using the IAS, the session ends. 



InternetAccessType : := ENUMERATED 

{ 

undefined ( ) , 
dialUp ( 1 ) , 

— IAS via DialUp access 
xDSL(2) , 

— IAS via DSL access 
cableModem ( 3 ) , 

— IAS via Cable access 
IAN ( 4 ) , 

— IAS via LAN access 
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EndReason 



ENUMERATED 



undefined ( ) , 
regularLogof f ( 1 ) , 

— The target logged off 
connect ionLoss (2) , 

— The connection was lost 
connect ionTimeout (3) , 

— The connection timed-out 
leaseExpired ( 4 ) , 

— The DHCP lease expired 



Intercept-related information for IRI-Only intercepts 



L2lRIOnly 



SEQUENCE 



12lRIOnlyObjId 
12protocolInformation 



[0] RELATIVE-OID, 

[2] L2ProtocolInf ormation, 



12AggregatedNbrOf Packets [3] INTEGER OPTIONAL, 



12AggregatedNbrOf Bytes 



[4] INTEGER OPTIONAL, 



L2ProtocolInf ormation ::= ENUMERATED 






{ 

12ProtocolL2tp(l) , 






— The L2TP protocol is used 






12ProtocolL2f (2) , 






— The L2F protocol is used 






12ProtocolPptp(3) , 






— The PPTP protocol is used 






12ProtocolPpp ( 4 ) , 






— The PPP protocol is used 






ethernetProtocol (5) , 






— The ethernet protocol is used 






undefined ( 6 ) , 






12ProtocolATM2684 (7) 






— The protocol RFC 2684, method "LLC Encapsulation for Bridged Protocols" 

} 


[16] 


is used 



END 



end of L2AccessPDU 
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Annex A (normative): 
Reference network topologies 

There are different possible network topologies, dependent upon the means of network access: 

a) xDSL access. 

b) Cable modem access. 

c) WLAN access. 



A.1 xDSL access 



Internet Access over the local loop by means of using specialized equipment for achieving a high bandwidth over 
copper wire is commonly referred to as xDSL Access. There is great variety of possible architectures and technologies 
that can be applied for realizing an xDSL network. Therefore, figure A. 1 only shows the principal equipment involved 
in this kind of Internet Access. 




Figure A.1 : Example of xDSL access 

In some cases, the services of an AP and IAP are offered by a single company and the PPP session of a user is 
terminated in a gateway to the Internet. In this case, the intercepted data may be provided from layer 3, as specified in 
TS 102 232-3 [12]. 

In other cases, the services of an AP and IAP are split between different companies. The datagrams of the tunnel routers 
are collected by a NAS that belongs to the AP. These datagrams are tunnelled through the network using a specific 
tunnelling protocol (e.g. L2F as defined in RFC 2341 [8], L2TP as defined in RFC 2661 [10], PPTP as defined in 
RFC 2637 [9]) to another tunnel router that is operated by the IAP. This second router represents the termination point 
of the user's PPP session and initiates authentication and authorization, e.g. through the AAA on the IAP's RADIUS- 
Server. Thus, on the AP side, only layer 2 information is available. 

A.1 .1 Events and information 

This clause describes the information sent from the Delivery Function (DF) to the Law Enforcement Monitoring 
Facility (LEMF) to support Lawfully Authorized Electronic Surveillance (LAES). The information is described as 
records and the parameters carried by a record. This focus is on describing the information being transferred to the 
LEMF. 

The value in the Mandatory / Optional / Conditional (MOC) column in the following tables indicates whether inclusion 
of the indicated parameter in the indicated record is Mandatory (M), Optional (O), or Conditional (C). 

Each record described in this clause consists of a set of parameters. Each parameter is either: 

• A Mandatory (M) value means that the sender of the message shall always include this parameter in the 
message. 
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An Optional (O) value means that the sender of the message may include this parameter in the message at the 
discretion of the implementation. 

A Conditional (C) value means that the sender of the message shall include this parameter in the message 
when the conditions specified in the Description/Conditions column are met. 

Table A.1 : Access_attempt REPORT Record 



Attribute 


MOC 


Description/Conditions 


HI2 ASN.1 parameter 


EventType 


M 


Type of IRI event (e.g. Access_attempt, Access_failed, 
Session_start, etc.). 


accessEventType 


AccessType 


C 


The type of internet access (e.g. Ethernet, ADSL, Cable 
Modem, LAN Access); to be included if accessible by 
the provider. 


internetAccessType 


targetNetworkID 


C 


The MAC address of the target CPE for layer 2 access 
or the target PSTN/ISDN number for dial-up; to be 
included if accessible by the provider. 


targetNetworkID 


targetCPEID 


C 


Secondary identification of the target CPE (e.g. DHCP 
Relay Agent Information, computer name, etc.); to be 
included if accessible by the provider. 


targetCPEID 


targetLocation 


C 


Location information (to be defined); to be included if 
accessible by the provider. 


targetLocation 


nASPortNumber 


C 


The 32-bit NAS port number the target uses for dial-up 
access. The content and the structure are defined by 
the network access provider; to be included if 
accessible by the provider. 


nASPortNumber 


callBackNumber 


C 


The target PSTN/ISDN number used for call-back by 
the NAS; to be included if accessible by the provider. 


callBackNumber 


rawAAAData 


C 


An unformatted OCTET string that may contain the raw 
AAA records as they were intercepted; to be included if 
accessible by the provider. 


rawAAAData 



Table A.2: Access_accept REPORT Record 



Attribute 


MOC 


Description/Conditions 


HI2 ASN.1 parameter 


EventType 


M 


Type of IRI event (e.g. Access_attempt, Accessjailed, 
Session start, etc.). 


accessEventType 


AccessType 


C 


The type of internet access (e.g. Ethernet, ADSL, Cable 
Modem, LAN Access); to be included if accessible by 
the provider. 


internetAccessType 


targetNetworkID 


C 


The MAC address of the target CPE for layer 2 access 
or the target PSTN/ISDN number for dial-up; to be 
included if accessible by the provider. 


targetNetworkID 


targetCPEID 


C 


Secondary identification of the target CPE (e.g. DHCP 
Relay Agent Information, computer name, etc.); to be 
included if accessible by the provider. 


targetCPEID 


targetLocation 


C 


Location information (to be defined); to be included if 
accessible by the provider. 


targetLocation 


nASPortNumber 


C 


The 32-bit NAS port number the target uses for dial-up 
access. The content and the structure are defined by 
the network access provider; to be included if 
accessible by the provider. 


nASPortNumber 


callBackNumber 


C 


The target PSTN/ISDN number used for call-back by 
the NAS; to be included if accessible by the provider. 


callBackNumber 


rawAAAData 


C 


An unformatted OCTET string that may contain the raw 
AAA records as they were intercepted; to be included if 
accessible by the provider. 


rawAAAData 
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Table A.3: Access_reject REPORT Record 



Attribute 


MOC 


Description/Conditions 


HI2 ASN.1 parameter 


EventType 


M 


Type of IRI event (e.g. Access_attempt, Access_failed, 
Session_start, etc.). 


accessEventType 


AccessType 


C 


The type of internet access (e.g. Ethernet, ADSL, Cable 
Modem, LAN Access); to be included if accessible by 
the provider. 


internetAccessType 


targetNetworkID 


C 


The MAC address of the target CPE for layer 2 access 
or the target PSTN/ISDN number for dial-up; to be 
included if accessible by the provider. 


targetNetworkID 


targetCPEID 


C 


Secondary identification of the target CPE (e.g. DHCP 
Relay Agent Information, computer name, etc.); to be 
included if accessible by the provider. 


targetCPEID 


targetLocation 


C 


Location information (to be defined); to be included if 
accessible by the provider. 


targetLocation 


nASPortNumber 


C 


The 32-bit NAS port number the target uses for dial-up 
access. The content and the structure are defined by 
the network access provider; to be included if 
accessible by the provider. 


nASPortNumber 


callBackNumber 


C 


The target PSTN/ISDN number used for call-back by 
the NAS; to be included if accessible by the provider. 


callBackNumber 


endReason 


M 


The reason for the session to end (e.g. logoff, 
connection loss, lease expiration); to be included if 
accessible by the provider. 


endReason 


rawAAAData 


C 


An unformatted OCTET string that may contain the raw 
AAA records as they were intercepted; to be included if 
accessible by the provider. 


rawAAAData 



Table A.4: Access failed REPORT Record 



Attribute 


MOC 


Description/Conditions 


HI2 ASN.1 parameter 


EventType 


M 


Type of IRI event (e.g. Access_attempt, Accessjailed, 
Session_start, etc.). 


accessEventType 


AccessType 


C 


The type of internet access (e.g. Ethernet, ADSL, Cable 
Modem, LAN Access); to be included if accessible by 
the provider. 


internetAccessType 


targetNetworkID 


C 


The MAC address of the target CPE for layer 2 access 
or the target PSTN/ISDN number for dial-up; to be 
included if accessible by the provider. 


targetNetworkID 


targetCPEID 


C 


Secondary identification of the target CPE (e.g. DHCP 
Relay Agent Information, computer name, etc.); to be 
included if accessible by the provider. 


targetCPEID 


targetLocation 


C 


Location information (to be defined); to be included if 
accessible by the provider. 


targetLocation 


nASPortNumber 


C 


The 32-bit NAS port number the target uses for dial-up 
access. The content and the structure are defined by 
the network access provider; to be included if 
accessible by the provider. 


nASPortNumber 


callBackNumber 


C 


The target PSTN/ISDN number used for call-back by 
the NAS; to be included if accessible by the provider. 


callBackNumber 


endReason 


M 


The reason for the session to end (e.g. time out); to be 
included if accessible by the provider. 


endReason 


rawAAAData 


C 


An unformatted OCTET string that may contain the raw 
AAA records as they were intercepted; to be included if 
accessible by the provider. 


rawAAAData 
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Table A.5: Session start BEGIN record 



Attribute 


MOC 


Description/Conditions 


HI2 ASN.1 parameter 


EventType 


M 


Type of IRI event (e.g. Access_attempt, Access_failed, 
Session_start, etc.). 


accessEventType 


AccessType 


C 


The type of internet access (e.g. Ethernet, ADSL, Cable 
Modem, LAN Access); to be included if accessible by 
the provider. 


internetAccessType 


targetNetworkID 


C 


The MAC address of the target CPE for layer 2 access 
or the target PSTN/ISDN number for dial-up; to be 
included if accessible by the provider. 


targetNetworkID 


targetCPEID 


C 


Secondary identification of the target CPE (e.g. DHCP 
Relay Agent Information, computer name, etc.); to be 
included if accessible by the provider. 


targetCPEID 


targetLocation 


C 


Location information (to be defined); to be included if 
accessible by the provider. 


targetLocation 


nASPortNumber 


C 


The 32-bit NAS port number the target uses for dial-up 
access. The content and the structure are defined by 
the network access provider; to be included if 
accessible by the provider. 


nASPortNumber 


callBackNumber 


C 


The target PSTN/ISDN number used for call-back by 
the NAS; to be included if accessible by the provider. 


callBackNumber 


startTime 


M 


The date and time of the start of the session (or lease). 


startTime 


rawAAAData 


C 


An unformatted OCTET string that may contain the raw 
AAA records as they were intercepted; to be included if 
accessible by the provider. 


rawAAAData 



Table A.6: lnterim_Update CONTINUE record 



Attribute 


MOC 


Description/Conditions 


HI2 ASN.1 parameter 


EventType 


M 


Type of IRI event (e.g. Access_attempt, Accessjailed, 
Session_start, etc.). 


accessEventType 


AccessType 


C 


The type of internet access (e.g. Ethernet, ADSL, Cable 
Modem, LAN Access); to be included if accessible by 
the provider. 


internetAccessType 


targetNetworkID 


C 


The MAC address of the target CPE for layer 2 access 
or the target PSTN/ISDN number for dial-up; to be 
included if accessible by the provider. 


targetNetworkID 


targetCPEID 


C 


Secondary identification of the target CPE (e.g. DHCP 
Relay Agent Information, computer name, etc.); to be 
included if accessible by the provider. 


targetCPEID 


targetLocation 


C 


Location information (to be defined); to be included if 
accessible by the provider. 


targetLocation 


nASPortNumber 


C 


The 32-bit NAS port number the target uses for dial-up 
access. The content and the structure are defined by 
the network access provider; to be included if 
accessible by the provider. 


nASPortNumber 


callBackNumber 


C 


The target PSTN/ISDN number used for call-back by 
the NAS; to be included if accessible by the provider. 


callBackNumber 


startTime 


M 


The date and time of the Interim Update. 


startTime 


rawAAAData 


C 


An unformatted OCTET string that may contain the raw 
AAA records as they were intercepted; to be included if 
accessible by the provider. 


rawAAAData 
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Table A.7: Session end END record 



Attribute 


MOC 


Description/Conditions 


HI2 ASN.1 parameter 


EventType 


M 


Type of IRI event (e.g. Access_attempt, Access_failed, 
Session_start, etc.). 


accessEventType 


AccessType 


C 


The type of internet access (e.g. Ethernet, ADSL, Cable 
Modem, LAN Access); to be included if accessible by 
the provider. 


internetAccessType 


targetNetworkID 


C 


The MAC address of the target CPE for layer 2 access 
or the target PSTN/ISDN number for dial-up; to be 
included if accessible by the provider. 


targetNetworkID 


targetCPEID 


C 


Secondary identification of the target CPE (e.g. DHCP 
Relay Agent Information, computer name, etc.); to be 
included if accessible by the provider. 


targetCPEID 


targetLocation 


C 


Location information (to be defined); to be included if 
accessible by the provider. 


targetLocation 


nASPortNumber 


C 


The 32-bit NAS port number the target uses for dial-up 
access. The content and the structure are defined by 
the network access provider; to be included if 
accessible by the provider. 


nASPortNumber 


callBackNumber 


C 


The target PSTN/ISDN number used for call-back by 
the NAS; to be included if accessible by the provider; to 
be included if accessible by the provider. 


callBackNumber 


endTime 


M 


The date and time of the end of the session (or lease) 


endTime 


endReason 


C 


The reason for the session to end (e.g. logoff, 
connection loss, time out, lease expiration); to be 
included if accessible by the provider. 


endReason 


octetsReceived 


C 


The number of octets the target received during the 
session; to be included if accessible by the provider. 


octetsReceived 


octetsTransmitted 


C 


The number of octets the target sent during the 
session; to be included if accessible by the provider. 


octetsTransmitted 


rawAAAData 


C 


An unformatted OCTET string that may contain the raw. 
AAA records as they were intercepted; to be included if 
accessible by the provider. 


rawAAAData 



Table A.8: Start of Interception Session Active BEGIN record 



Attribute 


MOC 


Description/Conditions 


HI2 ASN.1 parameter 


EventType 


M 


Type of IRI event (e.g. Access_attempt, Accessjailed, 
Session_start, etc.). 


accessEventType 


AccessType 


C 


The type of internet access (e.g. Ethernet, ADSL, Cable 
Modem, LAN Access); to be included if accessible by 
the provider. 


internetAccessType 


targetNetworkID 


C 


The MAC address of the target CPE for layer 2 access 
or the target PSTN/ISDN number for dial-up; to be 
included if accessible by the provider. 


targetNetworkID 


targetCPEID 


C 


Secondary identification of the target CPE (e.g. DHCP 
Relay Agent Information, computer name, etc.); to be 
included if accessible by the provider. 


targetCPEID 


targetLocation 


C 


Location information (to be defined); to be included if 
accessible by the provider. 


targetLocation 


nASPortNumber 


C 


The 32-bit NAS port number the target uses for dial-up 
access. The content and the structure are defined by 
the network access provider; to be included if 
accessible by the provider. 


nASPortNumber 


callBackNumber 


C 


The target PSTN/ISDN number used for call-back by 
the NAS; to be included if accessible by the provider. 


callBackNumber 


startTime 


C 


The date and time of the start of the session (or lease); 
to be included if accessible by the provider. 


startTime 


rawAAAData 


c 


An unformatted OCTET string that may contain the raw 
AAA records as they were intercepted; to be included if 
accessible by the provider. 


rawAAAData 
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A.2 Cable modem access 



The same scenarios for tunnelled sessions between the AP and the IAP, as described for xDSL access in clause A.l, 
could also apply for access to the internet via Cable Networks. When the AP and the IAP are two different companies, 
then a layer 2 tunnel could be used between them. When the target's traffic is intercepted by the AP, typically only 
layer 2 datagrams can be provided to the LEMF. Detailed information about interception of digital broadband cable 
access is provided in TS 101 909-20-1 and TS 101 909-20-2 (see bibliography). 



A.3 WLAN access 

Layer 2 interception in the WLAN network is for further study. 
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Annex B (informative): 

Stage 1 - RADIUS characteristics 

This annex provides information on RADIUS, specific to layer 2 interception. For more general information on 
RADIUS interception the reader is referred to annex A of TS 102 232-3 [12]. 



B.1 Network topology 



RADIUS can be deployed as one or more RADIUS servers acting on their own or in combination with a RADIUS 
proxy. This clause provides and overview of the use of a RADIUS proxy in a layer 2 environment. 



B.1.1 RADIUS proxy 



In case the Access Network provider is not the same party as the IAP, the Access Network provider will typically 
deploy a RADIUS proxy. This RADIUS proxy will receive the authentication and authorization request from the 
RADIUS client and forwards this to the actual RADIUS server. In case the AP provides its services to multiple IAPs, 
based on some attribute provided by the NAS, the appropriate RADIUS server of the appropriate IAP is selected. In the 
case of Dial-up access, for example, the PSTN number of the NAS the user has dialled can be used for this purpose. 






Figure B.1 : RADIUS proxy 

The RADIUS server will verify the password and authorization for the service against a customer database. The 
assignment of the IP address can be performed by either the RADIUS server or the RADIUS proxy, depending on 
network architecture decisions. In the latter case, the RADIUS proxy will typically assign IP addresses from ranges 
each belonging to a particular IAP. Alternatively, as mentioned previously, the IP address may also be assigned from 
the NAS operated by the AP. 
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Network based interception of both assignment and deassignment of IP addresses is most likely performed between the 
RADIUS proxy and the RADIUS server, since traffic between the RADIUS Client and the RADIUS proxy lays outside 
the infrastructure of the IAP. Alternatively, the RADIUS server can be extended with a function that will forward IP 
address assignment information to the interception function. 

NOTE: Another common element used to identify the final RADIUS server or IAP is a Network Access 

Identifier. If the Network Access Identifier " foo@bar.com " indicates user "foo" at IAP "bar.com", the 
RADIUS Proxy could forward the RADIUS requests to the RADIUS server for IAP "bar.com". 

If IP address assignment is done by the NAS operated by the AP, the interception of the IP address assignment and 
deassignment will most likely be performed between the RADIUS client and the IAP's RADIUS Accounting server. 




Traffic CPE1 « 

Traffic CPE2 [ 

Authentifi cation 
Intercepted traffic • 



Figure B.2: RADIUS proxy, authentication for tunnelled session 

Figure B.2 shows the authentication and authorization in cases where the user's session is tunnelled through the access 
network to the IAP network. The RADIUS proxy of the AP authenticates the user and triggers the RADIUS client 
(normally a NAS) to send all communication for this xDSL-line or the Cable-line through a layer 2 tunnel to the foreign 
IAP. All further information between the CPE and the IAP is exchanged via the layer 2 tunnel. Depending on the 
implementation of the RADIUS -Client, information about the beginning and end of the single user sessions may be 
signalled to the RADIUS-Proxy. The RADIUS-client on the AP-site, e.g. the NAS, may be used for copying the 
intercepted data to the MD. The layer 3 target information is unknown at the AP-site. 
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